An F5 AWAF parent policy serves as a baseline security template from which individual web application security policies inherit. This approach keeps configuration consistent across all applications, reduces the administrative overhead of creating and updating policies, improves overall security by applying uniform and up-to-date security measures, and makes application security easier to manage at scale.

In this section, we will discuss and demonstrate the benefits and implementation of the F5 AWAF parent policy.

Parent and Child Security Policy in F5 AWAF

To start the demonstration, let’s begin by creating a security policy of the type “parent policy”. By default, when you create a security policy, the policy type is set to “security,” which can be assigned to a virtual server. However, you can change the policy type to “parent.” When you switch the “policy type” to “parent,” the security policy can no longer be applied to a virtual server. In this example, we create a security policy named “parent” with the policy type set to “parent,” based on the comprehensive security template with learning mode set to manual.

[Figure: creating a security policy with the parent policy type in F5 AWAF]

Next, we create another security policy named “child” with the default policy type “security”, which inherits from the “parent” policy. This policy can still be assigned to a virtual server since it is a standard security policy, but it inherits certain properties from the parent policy. For example, you will see that “signature accuracy” and “signature staging” are inherited from the parent policy and cannot be modified.

[Figure: creating a security policy that inherits from the parent policy]

If you check the list of security policies, you will notice that policies of the “parent” type look different. A hierarchical structure icon is displayed beside the policy name, indicating its role as a parent policy.

[Figure: comparing the appearance of parent and child security policies in the policy list]

In the parent security policy, each setting has three inheritance options:

  1. Mandatory: The child security policy must inherit and cannot change these properties.

  2. Optional: The child security policy inherits these properties from the parent but can override them with its own settings.

  3. None: The properties are not transferred to the child security policy, allowing the child policy to define its own configuration independently.

To see the impact of these three options, we will set “Data Guard” to “Mandatory”, “Attack Signatures” to “Optional,” and “File Types” to “None.”

[Figure: inheritance settings in the parent security policy, controlling whether each section must be, may optionally be, or is not inherited by the child security policy]

We will then enable the “Data Guard” feature in the parent policy, set the “pdf” file type to disallowed, and disable a specific attack signature. This will allow us to check how these settings are reflected in the child security policy.

[Figure: configuring Data Guard, the pdf file type and an attack signature in the parent security policy]

Now, if we check the inheritance settings of the child security policy, we observe the following:

  • The “Attack Signatures” settings are inherited, but you can decline the inheritance and override them with your own configuration, since the parent policy’s inheritance setting is “Optional”.

  • The “Data Guard” setting is inherited and cannot be changed, as it is configured as “Mandatory” in the parent policy.

  • The “File Types” settings are not inherited, as the parent policy’s inheritance option is set to “None”.

[Figure: effect of the parent’s inheritance options as shown in the child security policy in F5 AWAF]

Now, if you check the “Data Guard” setting in the child security policy, you will notice that it is activated by the parent policy and cannot be changed. The “File Types” section is completely independent of the parent policy. The “Attack Signatures” configuration is inherited from the parent policy, but you must decline the inheritance to modify it.

[Figure: which sections can and cannot be modified in the child security policy]

Let’s decline the inheritance in the “Attack Signatures” section of the child security policy to ensure that we can change and override the attack signature configuration.

[Figure: impact of declining an optionally inherited section in the child security policy in F5 AWAF]
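To make the three inheritance options and the “decline inheritance” step concrete, here is an added Python model of the walk-through above. It is an illustration written for this page, not F5’s API, its declarative policy format, or code from the product: it encodes Mandatory, Optional and None as rules a small resolver enforces, so the behaviour seen in the child policy screens can be checked programmatically. The class names, section names and the signature id `SIG-EXAMPLE-0001` are constructed for the example.

```python
"""Hypothetical model of F5 AWAF parent/child policy inheritance.

Added illustration, not F5's API or configuration format: it encodes the three
inheritance options (Mandatory, Optional, None) as rules a resolver enforces.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Dict, Set


class Inheritance(Enum):
    MANDATORY = "mandatory"  # child must inherit and cannot change the section
    OPTIONAL = "optional"    # child inherits unless it explicitly declines
    NONE = "none"            # nothing transferred; child defines the section itself


class PolicyError(Exception):
    """Raised when a child policy tries something its parent's inheritance forbids."""


@dataclass
class ParentSetting:
    value: Any
    inheritance: Inheritance


@dataclass
class ParentPolicy:
    name: str
    settings: Dict[str, ParentSetting] = field(default_factory=dict)


@dataclass
class ChildPolicy:
    name: str
    parent: ParentPolicy
    own: Dict[str, Any] = field(default_factory=dict)  # sections the child configured itself
    declined: Set[str] = field(default_factory=set)    # optional sections it declined

    def _mode(self, section: str) -> Inheritance:
        setting = self.parent.settings.get(section)
        return setting.inheritance if setting else Inheritance.NONE

    def decline_inheritance(self, section: str) -> None:
        """Only an Optional section can be declined; Mandatory refuses, None has nothing to decline."""
        mode = self._mode(section)
        if mode is Inheritance.MANDATORY:
            raise PolicyError(f"{section}: mandatory in parent, cannot decline")
        if mode is Inheritance.NONE:
            raise PolicyError(f"{section}: not inherited, nothing to decline")
        self.declined.add(section)

    def configure(self, section: str, value: Any) -> None:
        """Set a section in the child, subject to the parent's inheritance rule."""
        mode = self._mode(section)
        if mode is Inheritance.MANDATORY:
            raise PolicyError(f"{section}: inherited as mandatory, cannot change")
        if mode is Inheritance.OPTIONAL and section not in self.declined:
            raise PolicyError(f"{section}: decline inheritance before overriding")
        self.own[section] = value

    def effective(self) -> Dict[str, Dict[str, Any]]:
        """Resolve every section to the value actually enforced and where it came from."""
        result: Dict[str, Dict[str, Any]] = {}
        for section in sorted(set(self.parent.settings) | set(self.own)):
            mode = self._mode(section)
            if mode is Inheritance.MANDATORY:
                result[section] = {"value": self.parent.settings[section].value,
                                   "source": "parent (mandatory)"}
            elif mode is Inheritance.OPTIONAL and section not in self.declined:
                result[section] = {"value": self.parent.settings[section].value,
                                   "source": "parent (optional)"}
            else:  # None, or Optional after the child declined it
                result[section] = {"value": self.own.get(section), "source": "child"}
        return result


def try_configure(child: ChildPolicy, section: str, value: Any) -> bool:
    """True if the child was allowed to set the section, False if the parent rule refused."""
    try:
        child.configure(section, value)
        return True
    except PolicyError:
        return False


def build_demo() -> ChildPolicy:
    """Mirror the walk-through: Data Guard mandatory, Attack Signatures optional,
    File Types none. All values, including the signature id, are constructed."""
    parent = ParentPolicy("parent", {
        "data_guard": ParentSetting({"enabled": True}, Inheritance.MANDATORY),
        "attack_signatures": ParentSetting({"disabled": ["SIG-EXAMPLE-0001"]},
                                           Inheritance.OPTIONAL),
        "file_types": ParentSetting({"disallowed": ["pdf"]}, Inheritance.NONE),
    })
    return ChildPolicy("child", parent)


if __name__ == "__main__":
    child = build_demo()
    for section, info in child.effective().items():
        print(f"{section:18} {info['source']:20} {info['value']}")
    print("override data_guard:", try_configure(child, "data_guard", {"enabled": False}))
    print("override signatures before decline:",
          try_configure(child, "attack_signatures", {"disabled": []}))
    child.decline_inheritance("attack_signatures")
    print("override signatures after decline:",
          try_configure(child, "attack_signatures", {"disabled": []}))
```

Running the script walks through the same sequence as the screenshots: the child cannot touch Data Guard at all, an override of Attack Signatures is refused until the child declines the inheritance, and File Types is the child’s own from the start (the parent’s disallowed “pdf” entry never reaches it). The `effective()` output also records the source of each enforced value, which is the question an auditor usually asks of a hierarchical policy: which policy actually owns a given setting.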